App Security Requires Preparation, Deployment and Follow Through

When it comes to the app space, the choice facing modern e-commerce brands seems almost unfair: release an app so as many customers as possible can enjoy the convenience and mobile access it provides, or, protect yourself and your users from potentially crippling cyberattack. There is overwhelming pressure for online companies to adopt advanced technology features—but in many cases those companies' application data security practices are simply not ready to run them safely.

The risks associated with a faulty app, or a sound app rolled out with poor security practices and insufficient application security testing, are enormous—just ask Under Armour, or IKEA, or even the ironically named TeenSafe.1,2,3 Not only can an attacker steal a company's data or funds directly, they can have a much more damaging impact on the company's reputation, as well. An e-commerce company can't survive if their users don't feel safe completing an e-commerce transaction—and these days, it takes very little to spook a user about data security.

Here are some best practices when integrating an app into your e-commerce workflow.

 

Encryption, encryption, encryption

Encryption is your first and last line of defense against malicious cyber actors. It's important to make sure that you choose/build an app infrastructure that automatically encrypts every single packet of data that leaves the app for any reason. Even seemingly innocuous data can give an attacker an in-road to more sensitive portions of the system. Cryptographic keys should be stored in secure containers, remotely, on a server with good physical security—physical as in thick doors, strong locks and even human security details.

But encryption should have a greater role than just securing communications. Consider encrypting your source code, as well. One of the most common forms of attack is to inject malicious code into an otherwise legitimate app structure and use the legitimate-looking nature of it to piggyback criminal code into even cautious users' systems. Encrypting your source code prevents this, preventing easy editing of the app's DNA.

Code your app for security, from bottom to top

A mobile app is a complex beast whether you're buying into an existing standard or commissioning the creation of all new code. In either case, you should make sure that your app conforms to the principle of least privilege: when executing a command, the app should allow only the permissions and levels of access that are absolutely required to complete the given task.

APIs, for instance, are one oft-overlooked area of an app's back-end, since they are nominally outward-facing and are sometimes dismissed as too peripheral to offer many real inroads to attackers; this is wrong. Hackers are experts at ratcheting from small wins to big ones—don't let them get a toehold by initiating a peripheral process that opens permissions to more sensitive areas.

Obvious measures, like required two-factor user authentication, have a role to play, but they are useless if their extra security is undercut by the app's other, more infrastructure-level technology choices. Your security team (and you should have one) must be involved from the very beginning of the app creation process, talking to both your own developers and any outside contractors to ensure that they will be able to secure the final product.

 

Managing change is important in application data security

Read this article all the way through to the end, and almost by definition it's out-of-date. That's how quickly the cybersecurity space is evolving, and it can leave even strong, well-coded security measures in the dust. To a shockingly large extent, this just means being diligent in keeping your software up-to-date with the latest official security patches.4

The next imperative is to test, test and test again. Intrusion experts (essentially reformed hackers) are a great resource, as they try every trick in the book to get your users' data. If they succeed, they hand over a record of their procedures. The NSA uses a version of this sort of application security testing through its "Red Team" hacker group, which tries to hack US infrastructure so that the "Blue Team" can learn to guard against their innovative attacks.5

 

Your company is an herbivore surrounded by predators

Your company likely doesn't need to get quite that elaborate, but take the lesson: testing, even pointed and aggressive testing, can be the key to remaining secure in an ever-changing environment. Attacks are evolving in isolation from your app, meaning that your app must evolve defenses on its own or risk being totally unprepared when a new apex predator appears without warning.

At the end of the day, the only real secret to app security is diligence. That diligence must come into play when choosing and designing modules for your app, when interacting with real users and when maintaining your systems with the latest updates. It must be born of an understanding that security is the single most important aspect of the service you provide to customers. If your company sells hubcaps and compromises its customer's personal or financial information, all the hubcaps in the world won't fix your standing in the market.

1. Shabban, Hamza. "Under Armour Announces Data Breach, Affecting 150 Million MyFitnessPal App Accounts." March 29, 2018. https://www.washingtonpost.com/news/the-switch/wp/2018/03/29/under-armour-announces-data-breach-affecting-150-million-myfitnesspal-app-accounts/
2. "Ikea App TaskRabbit Reveals Security Breach." April 17, 2018. https://www.bbc.com/news/technology-43796596
3. Ong, Thuy. "Teen-monitoring App TeenSafe Leaks Thousands of User IDs and Passwords." May 21, 2018. https://www.theverge.com/2018/5/21/17375428/teensafe-app-breach-security-data-apple-id
4. Software, Flexera. "Flexera Publishes Vulnerability Review 2018: Top Desktop Apps." GlobeNewswire News Room. June 27, 2018. Accessed July 26, 2018. https://globenewswire.com/news-release/2018/06/27/1530261/0/en/Flexera-Publishes-Vulnerability-Review-2018-Top-Desktop-Apps.html
5. Kaplan, Fred. "Inside "Eligible Receiver"." March 7, 2016. http://www.slate.com/articles/technology/future_tense/2016/03/inside_the_nsa_s_shockingly_successful_simulated_hack_of_the_u_s_military.html